The rapid growth in connected medical devices has obliged regulators to take further steps to ensure their secure operation after a number of hacks and vulnerabilities concerning products such as insulin pumps.
A new technical paper discusses the latest guidance issued by the US Food and Drug Administration (FDA) that relates to the implementation of embedded software. There are three notes, which are broadly illustrative of the advice and expectations of other medical agencies in countries and regions such as the European Union and Japan.
Author Robert Bates is responsible for safety, quality and security across the embedded portfolio at Siemens Digital Industries Software, and describes the three notes as follows:
- “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” discusses recommendations regarding cybersecurity device design, labeling, and documentation to be included in premarket submissions for devices with cybersecurity risk.
- “Postmarket Management of Cybersecurity in Medical Devices” discusses management of cybersecurity issues found after a product’s release.
- “Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software” discusses how FDA guidelines can be achieved when using OTS software (such as Linux or a commercial RTOS) in your device.
In their context, he reviews design-for-security approaches that address current, unknown and potential future risks, including those identified as formal CVEs (Common Vulnerabilities and Exposures) for OSes such as Linux and others. He also addresses the testing strategies that will help confirm the security of your work and in-the-field medical device risk management.
“By following the guidance in this paper,” Bates writes, “your product will be: more difficult to successfully exploit; protected against known and unknown exploits when released; faster to update to close any newly found exploits; [and] more secure, giving your customers confidence that they are protected even if something goes
“The last point is especially important. Customers are aware that there is no device that is completely free of bugs. What they want to know is how you are minimizing defects and their impact, and how ready are you when something inevitably goes wrong.”
Medical Device Security: Achieving Regulatory Approval is available for download here.